Best Practices for IT auditing - Is a session-id necessary for a complete audit trail?

#1
I am looking for references to specific standards, or otherwise credibly citable sources, to support the following conjecture:

For data that is classified highly confidential (e.g., HIPAA), to be comprehensive, a system AUDIT TRAIL should consider the following:

A) How important is a session id, which serves as a session data label to encapsulate all actions and sub-processes a single user performs while logged into a specific session?

Our newly delivered system records some information on each individual process (including username, timestamp, IP address), but does not generate or record a session_id, which uniquely identifies the session from which all other subprocess actions get executed.
How important is it to have a session_id? Throughout my 20 years' experience that type of information has always been available. Now I manage an application that does not have such an ability (to identify a specific session), and the necessity for such a session_id has been called into question.


B) When processing occurs, each individual form, or interface, gets recorded in the application, but not in the database. My question is, how important is it that this information gets recorded in the database, vs. being recorded in an application log file?

Right now, it is only being recorded on the app side. Only the SQL statement (but not by whom, or source IP, etc.) is being recorded on the database side. (It could be done, though, if the application passes a process id to the database.)
How important is it to have separate, but reconcilable, logs of SQL events from both the database side and the application side?


Other types of information I think are important to build AUDIT TRAIL controls around to capture:

Data out per session
Number of records out per session

Changes of permissions granted to user groups and roles on objects
Changes of user assignments to security groups and roles
Changes to application code and objects
Changes to data structures
Changes to configuration


I am looking for authoritative sources that state these types of explicit AUDIT TRAIL controls are a good idea and are in keeping with some type of "best practices".

ISO, HIPAA, NIST, and other frameworks use language that supports the kind of specifics I enumerated here, but they don't enumerate any details (other than logon and logout data, and tracking changes to data).
I am looking for these specific AUDIT TRAIL targets to be enumerated by a citable authority, because without prior examples I can show out in the wild, it is unlikely we will get the resources to build out and monitor the controls I described herein.

Help please with pointers to references?

Thanks in advance!
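The two questions in the post (why a session_id matters, and why application-side and database-side logs should be reconcilable) are easier to argue with a concrete illustration. The following is an added example, not code from the thread or from the poster's system. It uses constructed log lines, and the field names (session_id, request_id, rows_out) and the convention of passing the request id to the database as a leading SQL comment are assumptions about one possible layout. It joins the database log back to the application log on the pass-through id, rolls the result up per session (statements executed, records out), and surfaces database statements that no application request can account for, which is exactly the gap that a database-only SQL log leaves open.

```python
"""Reconciling application-side and database-side audit logs by session.

Added example, not from the forum thread. All log lines are constructed;
the field names and the "/* request_id=... */" pass-through convention are
assumptions about how such logs could be laid out.
"""
import json
import re
from collections import defaultdict

# Constructed application-side audit events: who, from where, in which
# session, which form/interface, and how many records went out.
APP_LOG = """
{"ts":"2024-05-01T09:00:01Z","user":"alice","ip":"10.0.0.5","session_id":"S1","request_id":"R1","form":"PatientSearch","rows_out":12}
{"ts":"2024-05-01T09:00:07Z","user":"alice","ip":"10.0.0.5","session_id":"S1","request_id":"R2","form":"PatientDetail","rows_out":1}
{"ts":"2024-05-01T09:03:15Z","user":"bob","ip":"10.0.0.9","session_id":"S2","request_id":"R3","form":"PatientSearch","rows_out":250}
"""

# Constructed database-side log: only the SQL text plus, when the application
# passed it through, a request id embedded as a leading comment. The last line
# has no request id, i.e. it did not come through the application.
DB_LOG = """
2024-05-01T09:00:01Z /* request_id=R1 */ SELECT id,name FROM patient WHERE last_name LIKE 'Sm%'
2024-05-01T09:00:07Z /* request_id=R2 */ SELECT * FROM patient WHERE id = 42
2024-05-01T09:03:15Z /* request_id=R3 */ SELECT * FROM patient WHERE dob > '1990-01-01'
2024-05-01T09:10:42Z SELECT * FROM patient
"""

DB_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?:/\*\s*request_id=(?P<rid>\w+)\s*\*/\s+)?(?P<sql>.*)$"
)


def parse_app_log(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def parse_db_log(text):
    """Timestamp, optional request-id comment, SQL text -> list of dicts."""
    events = []
    for line in text.strip().splitlines():
        m = DB_LINE.match(line.strip())
        if m:
            events.append({"ts": m.group("ts"), "request_id": m.group("rid"), "sql": m.group("sql")})
    return events


def reconcile(app_events, db_events):
    """Join DB statements to application events on request_id.

    Returns (matched, orphans): matched rows carry user/ip/session_id plus the
    SQL; orphans are DB statements with no application event behind them.
    """
    by_request = {e["request_id"]: e for e in app_events}
    matched, orphans = [], []
    for d in db_events:
        app = by_request.get(d["request_id"])
        if app is None:
            orphans.append(d)
        else:
            matched.append({**app, "sql": d["sql"]})
    return matched, orphans


def per_session(matched):
    """Roll matched events up by session_id: statements run and records out."""
    summary = defaultdict(lambda: {"user": None, "ip": None, "statements": 0, "rows_out": 0})
    for e in matched:
        s = summary[e["session_id"]]
        s["user"], s["ip"] = e["user"], e["ip"]
        s["statements"] += 1
        s["rows_out"] += e["rows_out"]
    return dict(summary)


def flag_sessions(summary, max_rows):
    """Sessions whose total records out exceed a review threshold."""
    return sorted(sid for sid, s in summary.items() if s["rows_out"] > max_rows)


if __name__ == "__main__":
    app, db = parse_app_log(APP_LOG), parse_db_log(DB_LOG)
    matched, orphans = reconcile(app, db)
    summary = per_session(matched)
    for sid, s in summary.items():
        print(f"{sid}: {s['user']}@{s['ip']} statements={s['statements']} rows_out={s['rows_out']}")
    print("sessions over 100 rows:", flag_sessions(summary, 100))
    print("DB statements with no application request:", [o["sql"] for o in orphans])
```

Without the session_id the per-session roll-up collapses to per-user or per-IP totals, and a user holding several concurrent sessions (or a stolen session token reused from the same address) cannot be told apart; without the pass-through id on the database side the last statement above would be indistinguishable from the application's own traffic.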